A Constructive Perspective on Signcryption Security

Christian Badertscher, Fabio Banfi, and Ueli Maurer

Signcryption is a public-key cryptographic primitive, originally introduced by Zheng (Crypto '97), that allows parties to establish secure communication without the need for prior key agreement. Instead, a party registers its public key at a certificate authority (CA), and only needs to retrieve the public key of the intended partner from the CA before being able to protect the communication. As suggested by the name, signcryption schemes provide both authenticity and confidentiality of sent messages and are motivated like their symmetric-key counterparts, i.e., authenticated-encryption schemes: better achievable performance compared to generic compositions of signature and encryption schemes, and a simpler interface to applications.

Although signcryption was introduced two decades ago, the question of which security notions of signcryption are adequate in which applications has still not received a fully satisfying answer, even for the basic ones. To address this question, we conduct a constructive analysis of this public-key primitive. Similar to previous constructive studies for other important primitives, this treatment allows us to identify the natural goal that signcryption schemes should achieve and to formalize this goal in a composable language. More specifically, we capture the goal of signcryption as a gracefully-degrading secure network, which is basically a network of independent parties that allows secure communication between any two parties. However, when a party is compromised, its respective security guarantees are lost, while all guarantees for the remaining users stay unaffected. We show which security notions are sufficient to realize this kind of secure network from a certificate authority (or key registration resource) and insecure communication. As a finding of independent interest, our treatment shows that a weaker variant of the traditional insider security notion is actually sufficient.

Last but not least, our study unveils that the graceful-degradation property is actually an essential feature of signcryption that separates it from alternative and more natural constructions that achieve a secure network from the same assumptions. This shows the vital importance of the insider security notion for signcryption and strongly supports, in contrast to the initial belief, the recent trend to consider the insider security notion as the standard notion for signcryption.